[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive
- From: Christian Sciberras <uuf6429@xxxxxxxxx>
- Date: Wed, 1 Sep 2010 00:59:06 +0200
> (and yes, "interpreted data" like shell scripts and Java .class files and
> Flash
> are the sort of neither-fish-nor-fowl that give security models headaches, so
> don't bother flaming about that. ;)
OK. Also add exploits in non-executable data as well (such as a certain gif...).
What was your point again?
Cheers.
On Wed, Sep 1, 2010 at 12:56 AM, <Valdis.Kletnieks@xxxxxx> wrote:
> On Wed, 01 Sep 2010 08:34:47 +1000, paul.szabo@xxxxxxxxxxxxx said:
>> Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
>>
>> > Why do you say harmless? Because you know a text file can't do
>> > anything at all.
>>
>> Exactly. The victim is attempting to view a plain text file. Surely
>> that can be done safely?
>
> Only if your OS's security model understands the fact that executable code
> and data belong in different security domains and thus different rules should
> apply about what files to "trust" in each category.
>
> (and yes, "interpreted data" like shell scripts and Java .class files and
> Flash
> are the sort of neither-fish-nor-fowl that give security models headaches, so
> don't bother flaming about that. ;)
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/